Abstract — We presented assisted common information as a generalization of Gacs-Korner (GK) common information at ISIT 2010. The motivation for our formulation was to improve upperbounds on the efficiency of protocols for secure two-party sampling (which is a form of secure multi-party computation). Our upperbound was based on a monotonicity property of a rate-region (called the assisted residual information region) associated with the assisted common information formulation.

In this note we present further results. We explore the 
connection of assisted common information with the Gray-Wyner 
system. We show that the assisted residual information region and 
the Gray-Wyner region are connected by a simple relationship: 
the assisted residual information region is the increasing hull 
of the Gray-Wyner region under an affine map. Several known 
relationships between GK common information and Gray-Wyner 
system fall out as consequences of this. Quantities which arise in 
other source coding contexts acquire new interpretations. 

In previous work we showed that assisted common information 
can be used to derive upperbounds on the rate at which a pair of 
parties can securely sample correlated random variables, given 
correlated random variables from another distribution. Here we 
present an example where the bound derived using assisted 
common information is much better than previously known 
bounds, and in fact is tight. This example considers correlated 
random variables defined in terms of standard variants of 
oblivious transfer, and is interesting on its own as it answers 
a natural question about these cryptographic primitives. 

I. Introduction 

If U, V, W are independent random variables, a natural measure of "common information" of X = (U, V) and Y = (U, W) is H(U). Observers of either X or Y may produce the common part U and, conditioned on this common part, there is no residual information, i.e., I(X;Y|U) = 0. Gacs-Korner (GK) common information [5], [16] is a generalization of this to arbitrary X, Y. Two observers see $X^n = (X_1, X_2, \ldots, X_n)$ and $Y^n = (Y_1, Y_2, \ldots, Y_n)$, resp., where $(X_i, Y_i)$ are independent draws of (X, Y). The observers produce $W_1 = f_1(X^n)$ and $W_2 = f_2(Y^n)$ which have an asymptotically vanishing probability of not matching. GK common information is the largest entropy rate (normalized by n) of such a common random variable. It was however shown that this value is the largest H(U) for which the random variables can be written as X = (U, V) and Y = (U, W) (where U, V, W may be dependent), i.e., the definition captures only an explicit form of common information in a single instance of X, Y.

At ISIT 2010 we presented a generalization of GK common information [13]. In our setup (see Figure 1), an omniscient genie (who has access to the X and Y sequences) assists the users in generating the common random variables by sending them messages over rate-limited noiseless links. A three-dimensional trade-off region which characterizes the trade-off between the rates of the two noiseless links and the resulting residual information (defined as the conditional mutual information between the source sequences conditioned on the common random variable normalized by the length of the sequence) was derived. We call this the assisted residual information region. When the links have zero rates, we recover GK common information.

Our motivation for this generalization was an application to cryptography. Distributed dependent random variables are an important resource in the cryptographic task of secure multi-party computation. A fundamental problem here is for two parties to securely generate a certain pair of random variables, given another pair of random variables, by means of a protocol. Our main result there was that the assisted residual dependency region of the views of two parties engaged in such a protocol can only monotonically expand and not shrink, which immediately leads to upperbounds on the efficiency with which a target pair of random variables can be generated from another pair. This work generalized previous work on monotones [17]. These works are in the same vein as [1], [3], [8], [10], [9], [7], [2], [14] which employ information theory to derive bounds on efficiency in cryptography.

In the first part of this paper we explore connections between the assisted common information system and the Gray-Wyner source coding system of [6]. In the Gray-Wyner system, a pair of sources is decomposed into three components: one public and two private. Using the public and one of the private components, one of the pair of sources must be recoverable, while the other source must be recoverable using the other private component and the public component. The Gray-Wyner region is a three-dimensional region which characterizes the trade-offs between the rates at which the three components can be encoded.

We show that the assisted residual information region and the Gray-Wyner region are connected by a simple relationship: the assisted residual information region is the increasing hull¹ of the Gray-Wyner region under an affine map. Several known relationships between GK common information and Gray-Wyner system fall out as consequences of this. This also leads

¹The increasing hull i(S) of a set $S \subseteq \mathbb{R}^3_+$ is the set of all s such that there is an s' ∈ S such that s ≥ s', where the inequality is component-wise.
Fig. 1: Setup for assisted common information system. The users generate $W_1$ and $W_2$ which are required to agree with high probability. A genie assists the users by sending separate messages to them over rate-limited noiseless links. When the genie is absent the setup reduces to the one for Gacs-Korner common information.

Fig. 2: Setup for Gray-Wyner (GW) system.



to alternative interpretations (in terms of the assisted common information system) of quantities which arise naturally in certain other source coding contexts. However, it must be noted that the Gray-Wyner region itself does not possess the monotonicity property, which makes it less suited for the cryptographic application which motivated [13].

The second half of the paper is a sequel to the cryptographic application in [13]. There we showed an example where our upperbound (on the efficiency with which a pair of random variables can be securely generated from another pair) strictly improved upon bounds from previous results. That example was contrived to highlight the shortcomings of prior work. Here we give yet another example where the upperbound from our result strictly improves on the prior work, but is further interesting for two reasons: firstly, the new example is based on natural correlated random variables that are widely studied (namely, variants of oblivious transfer), and secondly the new upperbound we can prove actually matches an easy lowerbound and is therefore tight.

II. Preliminaries 
A. Assisted Common Information System 

We presented the following generalization of GK common information at ISIT, 2010 [13]. We call it the assisted common information system.

Consider Figure 1. For a pair of random variables (X, Y), we say that a rate pair $(R_1, R_2)$ enables a residual information rate $R_{\mathrm{RD}}$ if for every ε > 0, there is a large enough integer n and (deterministic) functions $f_k : \mathcal{X}^n \times \mathcal{Y}^n \to \{1, \ldots, 2^{n(R_k+\epsilon)}\}$, (k = 1, 2), $g_1 : \mathcal{X}^n \times \{1, \ldots, 2^{n(R_1+\epsilon)}\} \to \mathbb{Z}$, and $g_2 : \mathcal{Y}^n \times \{1, \ldots, 2^{n(R_2+\epsilon)}\} \to \mathbb{Z}$ such that

$$\Pr\big(g_1(X^n, f_1(X^n, Y^n)) \neq g_2(Y^n, f_2(X^n, Y^n))\big) < \epsilon, \qquad (1)$$
$$\frac{1}{n} I\big(X^n; Y^n \,\big|\, g_1(X^n, f_1(X^n, Y^n))\big) \leq R_{\mathrm{RD}} + \epsilon. \qquad (2)$$

Definition 2.1: We define the assisted residual information region² $\mathcal{R}_{\mathrm{ACI}}(X, Y)$ of a pair of random variables (X, Y) with joint distribution $p_{X,Y}$ as the set of all $(r_1, r_2, r_{\mathrm{RD}}) \in \mathbb{R}^3_+$ for which there is a $(R_1, R_2, R_{\mathrm{RD}})$ such that $r_1 \geq R_1$, $r_2 \geq R_2$, $r_{\mathrm{RD}} \geq R_{\mathrm{RD}}$, and $(R_1, R_2)$ enables the residual information rate $R_{\mathrm{RD}}$. In other words,

$$\mathcal{R}_{\mathrm{ACI}}(X, Y) = i\big(\{(R_1, R_2, R_{\mathrm{RD}}) : (R_1, R_2) \text{ enables } R_{\mathrm{RD}}\}\big),$$

where i(S) denotes the increasing hull of $S \subseteq \mathbb{R}^3_+$; $i(S) = \{s \in \mathbb{R}^3_+ : s \geq s' \text{ component-wise for some } s' \in S\}$. We will write $\mathcal{R}_{\mathrm{ACI}}$ when the random variables involved are obvious from the context.

When the two rates from the genie are zero, we recover Gacs-Korner common information, $C_{\mathrm{GK}}$ [5], [16]. Let $R_{\mathrm{RD}\text{-}0} = \inf\{R_{\mathrm{RD}} : (0, 0, R_{\mathrm{RD}}) \in \mathcal{R}_{\mathrm{ACI}}(X, Y)\}$. Then we have the following proposition.

Proposition 2.1:

$$C_{\mathrm{GK}}(X, Y) = I(X; Y) - R_{\mathrm{RD}\text{-}0}. \qquad (3)$$

Further

$$R_{\mathrm{RD}\text{-}0} = \inf_{p_{U|X,Y} :\, I(X;U|Y) = I(Y;U|X) = 0} I(X; Y | U), \qquad (4)$$

which gives

$$C_{\mathrm{GK}}(X, Y) = \sup_{p_{U|X,Y} :\, I(X;U|Y) = I(Y;U|X) = 0} H(U). \qquad (5)$$

Moreover, $C_{\mathrm{GK}}(X, Y) = 0$ unless there are X', Y', U' such that X = (X', U'), Y = (Y', U'), in which case

$$C_{\mathrm{GK}} = \max_{U' :\, X = (X', U'),\, Y = (Y', U')} H(U').$$

The proof of this proposition and all other results are available in the appendix. The proof of (4) relies on the following characterization of $\mathcal{R}_{\mathrm{ACI}}$ which was proved in [13]. Let $\mathcal{P}$ be the set of all marginal p.m.f.'s $p_{U|X,Y}$ such that the cardinality of the alphabet $\mathcal{U}$ of U is $|\mathcal{X}||\mathcal{Y}| + 2$.

Proposition 2.2:

$$\mathcal{R}_{\mathrm{ACI}}(X, Y) = i\Big( \bigcup_{p_{U|X,Y} \in \mathcal{P}} \big\{ (I(Y; U|X),\ I(X; U|Y),\ I(X; Y|U)) \big\} \Big).$$

²We may also define an analogous assisted common information region by replacing the definition in (2) by

n 

See [13] for this and its connection to the above definition. In effect, the definitions are equivalent as we discuss there. We work with the assisted residual information region since it has a simple monotonicity property (Theorem 4.1) which makes it appealing for deriving bounds for secure two-party sampling.



B. Gray-Wyner system

The Gray-Wyner system is shown in Figure 2. It is a source coding problem formulated as follows: We say that a rate 3-tuple $(R_A, R_B, R_C)$ is achievable if for every ε > 0, there is a large enough integer n and (deterministic) encoder functions $f_A : \mathcal{X}^n \times \mathcal{Y}^n \to \{1, \ldots, 2^{n(R_A+\epsilon)}\}$, $f_B : \mathcal{X}^n \times \mathcal{Y}^n \to \{1, \ldots, 2^{n(R_B+\epsilon)}\}$, $f_C : \mathcal{X}^n \times \mathcal{Y}^n \to \{1, \ldots, 2^{n(R_C+\epsilon)}\}$, and (deterministic) decoder functions $g_{AC} : \{1, \ldots, 2^{n(R_A+\epsilon)}\} \times \{1, \ldots, 2^{n(R_C+\epsilon)}\} \to \mathcal{X}^n$, and $g_{BC} : \{1, \ldots, 2^{n(R_B+\epsilon)}\} \times \{1, \ldots, 2^{n(R_C+\epsilon)}\} \to \mathcal{Y}^n$ such that

$$\Pr\big(g_{AC}(f_A(X^n, Y^n), f_C(X^n, Y^n)) \neq X^n\big) < \epsilon, \qquad (6)$$
$$\Pr\big(g_{BC}(f_B(X^n, Y^n), f_C(X^n, Y^n)) \neq Y^n\big) < \epsilon. \qquad (7)$$

Definition 2.2: The Gray-Wyner region $\mathcal{R}_{\mathrm{GW}}(X, Y)$ is the set of all achievable rate 3-tuples.

We write $\mathcal{R}_{\mathrm{GW}}$ when the random variables are clear from the context. A simple lower bound to $\mathcal{R}_{\mathrm{GW}}(X, Y)$ is

$$\mathcal{C}_{\mathrm{GW}}(X, Y) = \{(R_A, R_B, R_C) : R_A + R_C \geq H(X),\ R_B + R_C \geq H(Y),\ R_A + R_B + R_C \geq H(X, Y)\}. \qquad (8)$$

The Gray-Wyner region was characterized in [6].

Proposition 2.3 ([6]):

$$\mathcal{R}_{\mathrm{GW}}(X, Y) = i\Big( \bigcup_{p_{U|X,Y} \in \mathcal{P}} \big\{ (H(X|U),\ H(Y|U),\ I(X, Y; U)) \big\} \Big).$$

The Gray-Wyner system generalizes the setup for Wyner's common information [19] which is defined as the smallest $R_C$ such that the outputs of the encoder taken together are an asymptotically efficient representation of (X, Y), i.e., when $R_A + R_B + R_C = H(X, Y)$. Using the above proposition we have

Proposition 2.4:

$$C_{\mathrm{Wyner}}(X, Y) = \inf\{R_C \mid (R_A, R_B, R_C) \in \mathcal{R}_{\mathrm{GW}}(X, Y),\ R_A + R_B + R_C = H(X, Y)\} = \inf_{p_{U|X,Y} \in \mathcal{P} :\, X - U - Y} I(X, Y; U).$$

C. Known connections

The following connections between the two systems are known:

• Gacs-Korner common information can be obtained from the Gray-Wyner region [?, Problem 4.28, pg. 404].

$$C_{\mathrm{GK}}(X, Y) = \sup\{R_C : R_A + R_C = H(X),\ R_B + R_C = H(Y),\ (R_A, R_B, R_C) \in \mathcal{R}_{\mathrm{GW}}\} \qquad (9)$$

Alternatively [11],

$$C_{\mathrm{GK}}(X, Y) = \sup\{R : R \leq I(X; Y),\ \{R_C = R\} \cap \mathcal{C}_{\mathrm{GW}} \subseteq \mathcal{R}_{\mathrm{GW}}\} \qquad (10)$$

• Wyner's common information can be obtained from the Gacs-Korner system [13, Corollary 2.3].

$$C_{\mathrm{Wyner}}(X, Y) = I(X; Y) + \inf_{(R_1, R_2, 0) \in \mathcal{R}_{\mathrm{ACI}}} R_1 + R_2. \qquad (11)$$

III. Relationship between Assisted Common Information and Gray-Wyner Systems

Theorem 3.1: Let $\mathcal{R}'_{\mathrm{GW}}(X, Y)$ be the image of $\mathcal{R}_{\mathrm{GW}}(X, Y)$ under the affine map $f_{X,Y}$ defined below.

$$f_{X,Y}\begin{pmatrix} R_A \\ R_B \\ R_C \end{pmatrix} \triangleq \begin{pmatrix} R_A + R_C - H(X) \\ R_B + R_C - H(Y) \\ R_A + R_B + R_C - H(X, Y) \end{pmatrix}$$

Then

$$\mathcal{R}_{\mathrm{ACI}}(X, Y) = i\big(\mathcal{R}'_{\mathrm{GW}}(X, Y)\big).$$

Thus, the assisted residual information region $\mathcal{R}_{\mathrm{ACI}}(X, Y)$ is the increasing hull of the Gray-Wyner region $\mathcal{R}_{\mathrm{GW}}(X, Y)$ under an affine map $f_{X,Y}$. The map, in fact, computes the gap of $\mathcal{R}_{\mathrm{GW}}(X, Y)$ to the simple lower bound $\mathcal{C}_{\mathrm{GW}}(X, Y)$ of (8) under a coordinate transformation. The first coordinate of $\mathcal{R}'_{\mathrm{GW}}$ is indeed the gap between the (sum) rate at which the first decoder in the Gray-Wyner system receives data and the minimum possible rate at which it may receive data so that it can losslessly reproduce $X^n$. The second coordinate has a similar interpretation with respect to the second decoder. The third coordinate is the gap between the rate at which the encoder sends data and the minimum possible rate at which it may transmit to allow both decoders to losslessly reproduce their respective sources.

It must, however, be noted that the Gray-Wyner region itself does not possess the monotonicity property of $\mathcal{R}_{\mathrm{ACI}}$ which leads to Theorem 4.1 and is therefore less suited for the cryptographic application which motivated [13].



The two points we noted in Section II-C fall out of Theorem 3.1.

Corollary 3.2:

$$C_{\mathrm{GK}}(X, Y) = \sup\{R_C : R_A + R_C = H(X),\ R_B + R_C = H(Y),\ (R_A, R_B, R_C) \in \mathcal{R}_{\mathrm{GW}}(X, Y)\} \qquad (9)$$
$$= \sup\{R : R \leq I(X; Y),\ \{R_C = R\} \cap \mathcal{C}_{\mathrm{GW}}(X, Y) \subseteq \mathcal{R}_{\mathrm{GW}}(X, Y)\}. \qquad (10)$$

Corollary 3.3:

$$C_{\mathrm{Wyner}}(X, Y) = I(X; Y) + \inf_{(R_1, R_2, 0) \in \mathcal{R}_{\mathrm{ACI}}} R_1 + R_2. \qquad (11)$$

Analogous to the definition of $R_{\mathrm{RD}\text{-}0}$, we define the axes intercepts on the other two axes.

$$R_{1\text{-}0} = \inf\{R_1 : (R_1, 0, 0) \in \mathcal{R}_{\mathrm{ACI}}\}$$
$$R_{2\text{-}0} = \inf\{R_2 : (0, R_2, 0) \in \mathcal{R}_{\mathrm{ACI}}\}$$

$R_{1\text{-}0}$ (resp., $R_{2\text{-}0}$) is the rate at which the genie must communicate when it has a link to only the user who receives the X (resp. Y) source so that the users can produce a common random variable conditioned on which the sources are independent.³ Using Proposition 2.2 we can show that

$$R_{1\text{-}0} = \inf_{p_{U|X,Y} \in \mathcal{P} :\, I(X;U|Y) = I(X;Y|U) = 0} I(Y; U|X), \qquad (12)$$
$$R_{2\text{-}0} = \inf_{p_{U|X,Y} \in \mathcal{P} :\, I(Y;U|X) = I(X;Y|U) = 0} I(X; U|Y). \qquad (13)$$

These quantities were identified in [17] and shown to possess a monotonic property in the context of secure two-party sampling (a result which [13] generalized).

As we will show below, this pair of quantities is closely related to a pair which has been identified elsewhere in the context of lossless coding with side-information [12] and the Gray-Wyner system [11]. Let (following the notation of [11])

$$G(Y \to X) = \inf\{R_C : (H(X|Y),\ H(Y) - R_C,\ R_C) \in \mathcal{R}_{\mathrm{GW}}(X, Y)\},$$
$$G(X \to Y) = \inf\{R_C : (H(X) - R_C,\ H(Y|X),\ R_C) \in \mathcal{R}_{\mathrm{GW}}(X, Y)\}.$$

It has been shown [12], [11] that G(Y → X) is the smallest rate at which side-information Y may be coded and sent to a decoder which is interested in recovering X with asymptotically vanishing probability of error if the decoder receives X coded and sent at a rate of only H(X|Y) (which is the minimum possible rate which will allow such recovery). Further, [11] arrives at the maximum of G(Y → X) and G(X → Y) as a dual to the alternative definition of $C_{\mathrm{GK}}$ in (10) from the Gray-Wyner system.

We have the following relationship between the two pairs of quantities.

Corollary 3.4:

$$G(Y \to X) = I(X; Y) + R_{1\text{-}0}, \qquad (14)$$
$$G(X \to Y) = I(X; Y) + R_{2\text{-}0}. \qquad (15)$$

Further,

$$\inf\{R : R \geq I(X; Y),\ \{R_C = R\} \cap \mathcal{C}_{\mathrm{GW}}(X, Y) \subseteq \mathcal{R}_{\mathrm{GW}}(X, Y)\} = \max\big(G(Y \to X),\ G(X \to Y)\big) \qquad (16)$$
$$= I(X; Y) + \max(R_{1\text{-}0}, R_{2\text{-}0}). \qquad (17)$$

IV. Cryptographic application

The cryptographic problem we consider is of 2-party secure sampling: Alice and Bob should sample correlated random variables (U, V) (Alice getting U and Bob getting V), such that Alice's view during the sampling protocol reveals nothing more to her about Bob's outcome V than what her own outcome U reveals to her, and similarly Bob's view reveals nothing more about Alice's outcome than is revealed by his own outcome. This is an important special case of secure multi-party computation, a central problem in modern cryptography.

However, it is well-known (see for instance [13] and references therein) that very few distributions can be sampled from in this way, unless the computation is aided by a set up — some correlated random variables that are given to the parties at the beginning of the protocol. The set up itself will be from some distribution (X, Y) (Alice gets X and Bob gets Y) which is different from the desired distribution (U, V). The fundamental question then is, which set ups (X, Y) can be used to securely sample which distributions (U, V), and how efficiently.

We restrict ourselves to the setting of honest-but-curious players. In this case, the requirements on a protocol Π for securely sampling (U, V) given a set up (X, Y) can be stated as follows, in terms of the outputs and the views of the parties from the protocol⁴:

$$(U, V) \sim \big(\Pi^{\mathrm{out}}_{\mathrm{Alice}}(X, Y),\ \Pi^{\mathrm{out}}_{\mathrm{Bob}}(X, Y)\big)$$
$$\Pi^{\mathrm{view}}_{\mathrm{Alice}}(X, Y) - \Pi^{\mathrm{out}}_{\mathrm{Alice}}(X, Y) - \Pi^{\mathrm{out}}_{\mathrm{Bob}}(X, Y)$$
$$\Pi^{\mathrm{view}}_{\mathrm{Bob}}(X, Y) - \Pi^{\mathrm{out}}_{\mathrm{Bob}}(X, Y) - \Pi^{\mathrm{out}}_{\mathrm{Alice}}(X, Y)$$

These three conditions correspond to correctness, security against a curious Alice and security against a curious Bob, respectively.

In [13], we showed that the region $\mathcal{R}_{\mathrm{ACI}}$ can be used as a measure of cryptographic complexity of correlated random variables (a smaller region $\mathcal{R}_{\mathrm{ACI}}$ corresponding to a higher complexity), in that the rate at which a pair (U, V) can be securely sampled given a set up (X, Y) can be upperbounded by the ratio of their complexity measures. More formally, there we presented the following result. (For completeness, a proof is provided in the appendix.)

Theorem 4.1 ([13]): If $n_1$ independent copies of a pair of correlated random variables (U, V) can be securely realized from $n_2$ independent copies of a pair of correlated random variables (X, Y), then $n_1 \mathcal{R}_{\mathrm{ACI}}(U, V) \supseteq n_2 \mathcal{R}_{\mathrm{ACI}}(X, Y)$ (where multiplication by n refers to the n-times repeated Minkowski sum).

In [13] we gave an instance of pairs (U, V) and (X, Y) such that the upperbound on the rate at which instances of (U, V) can be securely sampled from instances of (X, Y) that is implied by the above result strictly improved on the upperbounds that could be derived from previous results. These pairs were contrived to highlight the shortcomings of prior work. Here we give yet another example where the upperbound from our result strictly improves on prior work, but is further interesting for two reasons: firstly, the new example is based on natural correlated random variables that are widely studied (namely, variants of oblivious transfer), and secondly, the new upperbound we can prove actually matches an easy lowerbound and is therefore tight.

³Though the definition allows for zero-rate communication to the other user and a zero-rate (but non-zero) residual conditional mutual information, it can be shown from the expression for these rates in (12)-(13) that there is a scheme which achieves exact conditional independence and requires no communication to the other user.

⁴Here we state the conditions for "perfect security," but our definitions and results generalize to the setting of "statistical security," where a small statistical error is allowed.



A. A New Example 

We now discuss the new example where our upperbound 
is not only strictly better than the previously best available 
upperbound, but is also tight. 

Example 4.1: Let $S_{A,1}, S_{A,2}, S_{B,1}, S_{B,2} \in \{0, 1\}^L$ and $C_A, C_B \in \{1, 2\}$ be six independent random variables all of which are uniformly distributed over their alphabets. Consider a pair of random variables X, Y defined as $X = (C_A, S_{A,1}, S_{A,2}, S_{B,C_A})$ and $Y = (C_B, S_{B,1}, S_{B,2}, S_{A,C_B})$. Notice that these are in fact a pair of independent string-oblivious transfers (string-OT's) of string length L in opposite directions. Let U, V be a pair of random variables whose joint distribution is the same as that of X, Y, but with L = 1. In other words, U, V are a pair of independent bit-OT's in opposite directions. The goal is to characterize the efficiency with which we may securely generate independent instances of U, V from independent instances of X, Y for L > 1. Here efficiency is the supremum of $n_2/n_1$ over secure sampling schemes which produce $n_2$ independent copies of (U, V) from $n_1$ independent copies of (X, Y).

It is easy to see that $\mathcal{R}_{\mathrm{ACI}}(X, Y)$ intersects the co-ordinate axes at (1 + L, 0, 0), (0, 1 + L, 0), and (0, 0, 2L). From these we can immediately obtain the upperbound of [17] on the efficiency, namely (1 + L)/2. Notice that this is dependent on L and would suggest that (several) long string-OT pairs can be turned into several (more) bit-OT pairs. However, as we show below, the efficiency of conversion is just 1, i.e., the best one can do is to turn each pair of string-OT's into a pair of bit-OT's.

We will show that $\inf\{R_1 + R_2 : (R_1, R_2, 0) \in \mathcal{R}_{\mathrm{ACI}}(U, V)\} = 2$. But, $(1, 1, 0) \in \mathcal{R}_{\mathrm{ACI}}(X, Y)$. This can be seen by setting $Q = (C_A, C_B, S_{A,C_B}, S_{B,C_A})$ for which $(R_1, R_2, R_{\mathrm{RD}}) = (1, 1, 0)$. Thus, $\inf\{R_1 + R_2 : (R_1, R_2, 0) \in \mathcal{R}_{\mathrm{ACI}}(X, Y)\} \leq 2$. Hence, from Theorem 4.1 we may conclude that the efficiency of conversion we are after is 1.
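The point (1, 1, 0) and the three axis points quoted above can be checked by direct computation. The script below is an added example, not code from the paper: it enumerates the joint p.m.f. of the string-OT pair (X, Y) of Example 4.1 together with a genie variable Q and evaluates the Proposition 2.2 coordinates (I(Y;Q|X), I(X;Q|Y), I(X;Y|Q)); the function names and the `genie` callback are this example's own, and it also runs L = 1, i.e. the bit-OT pair (U, V).

```python
"""Added example (not from the paper): Proposition 2.2 coordinates for the
string-OT pair of Example 4.1, computed by enumerating the joint p.m.f.
All names here (string_ot_pair, section_iv_genie, aci_point) are this
example's own, not the paper's.
"""
from __future__ import annotations

from collections import defaultdict
from fractions import Fraction
from itertools import product
from math import log2
from typing import Callable, Dict, Hashable, Tuple

Outcome = Tuple[Hashable, ...]               # one joint outcome (x, y, q)
Pmf = Dict[Outcome, Fraction]                # joint p.m.f., exact probabilities
Genie = Callable[[tuple, tuple], Hashable]   # the genie's Q as a function of (x, y)


def marginal(p: Pmf, idx: Tuple[int, ...]) -> Pmf:
    """Marginal p.m.f. of the coordinates listed in idx."""
    out: Pmf = defaultdict(Fraction)
    for outcome, pr in p.items():
        out[tuple(outcome[i] for i in idx)] += pr
    return dict(out)


def joint_entropy(p: Pmf, *idx: int) -> float:
    """H(coordinates idx) in bits; an empty idx is a constant with H = 0."""
    m = marginal(p, idx)
    return -sum(float(pr) * log2(float(pr)) for pr in m.values() if pr > 0)


def cond_mutual_info(p: Pmf, a: Tuple[int, ...], b: Tuple[int, ...],
                     c: Tuple[int, ...]) -> float:
    """I(A;B|C) = H(A,C) + H(B,C) - H(A,B,C) - H(C)."""
    return (joint_entropy(p, *a, *c) + joint_entropy(p, *b, *c)
            - joint_entropy(p, *a, *b, *c) - joint_entropy(p, *c))


def string_ot_pair(L: int, genie: Genie) -> Pmf:
    """Joint p.m.f. of (X, Y, Q) for Example 4.1 with strings of length L.

    S_A1, S_A2, S_B1, S_B2 are uniform over {0,1}^L, C_A, C_B uniform over
    {1, 2}, all six independent.  X = (C_A, S_A1, S_A2, S_B[C_A]) and
    Y = (C_B, S_B1, S_B2, S_A[C_B]), i.e. two string-OTs in opposite
    directions; Q = genie(x, y) is the genie's deterministic variable.
    """
    strings = ["".join(bits) for bits in product("01", repeat=L)]
    pr = Fraction(1, 4 * len(strings) ** 4)  # 2 * 2 choice bits, 4 strings
    p: Pmf = {}
    for c_a, c_b in product((1, 2), repeat=2):
        for s_a1, s_a2, s_b1, s_b2 in product(strings, repeat=4):
            s_a, s_b = (s_a1, s_a2), (s_b1, s_b2)
            x = (c_a, s_a1, s_a2, s_b[c_a - 1])
            y = (c_b, s_b1, s_b2, s_a[c_b - 1])
            p[(x, y, genie(x, y))] = pr
    return p


def section_iv_genie(x: tuple, y: tuple) -> tuple:
    """Q = (C_A, C_B, S_A[C_B], S_B[C_A]), the genie chosen in Section IV-A."""
    return (x[0], y[0], y[3], x[3])


def aci_point(p: Pmf) -> Tuple[float, float, float]:
    """(R_1, R_2, R_RD) = (I(Y;Q|X), I(X;Q|Y), I(X;Y|Q)) for a joint p.m.f.

    Coordinate indices: 0 = X, 1 = Y, 2 = Q.  Rounded to hide float noise.
    """
    X, Y, Q = (0,), (1,), (2,)
    r1 = cond_mutual_info(p, Y, Q, X)
    r2 = cond_mutual_info(p, X, Q, Y)
    rd = cond_mutual_info(p, X, Y, Q)
    return (round(r1, 9), round(r2, 9), round(rd, 9))


if __name__ == "__main__":
    # L = 1 is the bit-OT pair (U, V); larger L is the string-OT pair (X, Y).
    for L in (1, 2, 3):
        print(f"L={L}: Section IV-A genie ->",
              aci_point(string_ot_pair(L, section_iv_genie)))
        # The three axis points (1+L,0,0), (0,1+L,0), (0,0,2L) via trivial genies.
        print("      Q=Y ->", aci_point(string_ot_pair(L, lambda x, y: y)),
              " Q=X ->", aci_point(string_ot_pair(L, lambda x, y: x)),
              " Q=const ->", aci_point(string_ot_pair(L, lambda x, y: 0)))
```

The Section IV-A genie returns (1, 1, 0) for every L, so its sum-rate 2 does not grow with the string length, which is the observation behind the efficiency bound of 1.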

It only remains to characterize $\inf\{R_1 + R_2 : (R_1, R_2, 0) \in \mathcal{R}_{\mathrm{ACI}}(U, V)\}$. The following lemma, which is proved in the appendix, provides the required characterization.

Lemma 4.2:

$$\inf\{R_1 + R_2 : (R_1, R_2, 0) \in \mathcal{R}_{\mathrm{ACI}}(U, V)\} = 2.$$
Appendix

Proof of Proposition 2.1

GK common information $C_{\mathrm{GK}}$ is defined as the supremum of the set of R such that for every ε > 0 there are maps $g_1 : \mathcal{X}^n \to \mathbb{Z}$ and $g_2 : \mathcal{Y}^n \to \mathbb{Z}$ for a sufficiently large n which satisfy

$$\Pr\big(g_1(X^n) \neq g_2(Y^n)\big) < \epsilon, \qquad (18)$$
$$\frac{1}{n} H\big(g_1(X^n)\big) \geq R. \qquad (19)$$



An alternative definition which allows for a genie with zero-rate links to the users is given below. It is easy to see that this can only lead to a larger value. But as we will show, the definitions are in fact equivalent.

Let $C'_{\mathrm{GK}}$ be the supremum of the set of R such that for every ε > 0 there are maps $f_k : \mathcal{X}^n \times \mathcal{Y}^n \to \{1, \ldots, 2^{n\epsilon}\}$, (k = 1, 2), $g_1 : \mathcal{X}^n \times \{1, \ldots, 2^{n\epsilon}\} \to \mathbb{Z}$, and $g_2 : \mathcal{Y}^n \times \{1, \ldots, 2^{n\epsilon}\} \to \mathbb{Z}$ for a sufficiently large n which satisfy (1) and

$$\frac{1}{n} H\big(g_1(X^n, f_1(X^n, Y^n))\big) \geq R - \epsilon.$$



$$I(Y; U|X) = I(X, Y; U) - I(X; U) = H(X|U) + I(X, Y; U) - H(X), \qquad (20)$$
$$I(X; U|Y) = I(X, Y; U) - I(Y; U) = H(Y|U) + I(X, Y; U) - H(Y), \text{ and} \qquad (21)$$
$$I(X; Y|U) = H(X|U) + H(Y|U) - H(X, Y|U) = H(X|U) + H(Y|U) + I(X, Y; U) - H(X, Y). \qquad (22)$$



Clearly, $C'_{\mathrm{GK}} \geq C_{\mathrm{GK}}$. We first show

$$C'_{\mathrm{GK}} = I(X; Y) - R_{\mathrm{RD}\text{-}0}. \qquad (23)$$

Let $U = g_1(X^n, f_1(X^n, Y^n))$. Then

$$I(X^n; Y^n | U) + H(U) = I(X^n; Y^n | U) + I(X^n, Y^n; U)$$
$$= H(X^n, Y^n) - H(X^n | Y^n, U) - H(Y^n | X^n, U)$$
$$= I(X^n; Y^n) + I(X^n; U | Y^n) + I(Y^n; U | X^n)$$
$$\geq n I(X; Y).$$

Therefore, if the maps satisfy (2), then

$$H(U) \geq n I(X; Y) - I(X^n; Y^n | U)$$
$$\geq n I(X; Y) - n(R_{\mathrm{RD}} + \epsilon)$$
$$= n\big(I(X; Y) - R_{\mathrm{RD}} - \epsilon\big)$$

which implies (23).

With $C_{\mathrm{GK}}$ replaced by $C'_{\mathrm{GK}}$, we can prove (4) and (5) as follows: (4) follows from Proposition 2.2. (4) and (3) imply (5). See [13, Section II.B] for a proof from (5) of the explicit characterization stated at the end of the proposition. Since this explicit form can be achieved without any communication from the genie, it follows that $C'_{\mathrm{GK}} = C_{\mathrm{GK}}$.



Proof of Theorem 3.1

It is easy to prove the above theorem from the single-letter expressions for the regions in Propositions 2.2 and 2.3 by making use of the mutual information equalities (20)-(22) at the top of the page.



Proof of Corollary 3.2

$$\sup\{R_C : R_A + R_C = H(X),\ R_B + R_C = H(Y),\ (R_A, R_B, R_C) \in \mathcal{R}_{\mathrm{GW}}\}$$
$$\overset{(a)}{=} \sup\{R : (0, 0, I(X; Y) - R) \in \mathcal{R}'_{\mathrm{GW}}\}$$
$$\overset{(b)}{=} \sup\{R : (0, 0, I(X; Y) - R) \in \mathcal{R}_{\mathrm{ACI}}\}$$
$$\overset{(c)}{=} C_{\mathrm{GK}}(X, Y),$$

where (a) follows from the definition $\mathcal{R}'_{\mathrm{GW}} = f(\mathcal{R}_{\mathrm{GW}})$. The ≤ direction of (b) follows directly from Theorem 3.1. But < cannot hold since if $(0, 0, I(X; Y) - R) \in \mathcal{R}_{\mathrm{ACI}}$, then there is an $R' \geq R$ such that $(0, 0, I(X; Y) - R') \in \mathcal{R}'_{\mathrm{GW}}$. Finally, (c) follows from Proposition 2.1.

To arrive at the alternative form, we verify the equivalence of the two forms.

$$\{R : R \leq I(X; Y),\ \{R_C = R\} \cap \mathcal{C}_{\mathrm{GW}} \subseteq \mathcal{R}_{\mathrm{GW}}\}$$
$$= \{R_C : R_A + R_C = H(X),\ R_B + R_C = H(Y),\ (R_A, R_B, R_C) \in \mathcal{R}_{\mathrm{GW}}\}.$$

⊆: if R ≤ I(X; Y), then $(H(X) - R, H(Y) - R, R) \in \{R_C = R\} \cap \mathcal{C}_{\mathrm{GW}}$.

⊇: Let $s = (H(X) - R_C, H(Y) - R_C, R_C) \in \mathcal{R}_{\mathrm{GW}}$. Then (a) $R_C \leq I(X; Y)$ since $s \in \mathcal{C}_{\mathrm{GW}}$, and (b) if $s' = (r_A, r_B, R_C) \in \mathcal{C}_{\mathrm{GW}}$, then since $r_A \geq H(X) - R_C$ and $r_B \geq H(Y) - R_C$, we have $s' \geq s$ (component-wise) which implies that $s' \in \mathcal{R}_{\mathrm{GW}}$ from the definition of the GW system. ∎
Proof of Corollary 3.3

$$C_{\mathrm{Wyner}} = \inf\{R_C : (R_A, R_B, R_C) \in \mathcal{R}_{\mathrm{GW}},\ R_A + R_B + R_C = H(X, Y)\}$$
$$\overset{(a)}{=} \inf\{R_1 + R_2 + I(X; Y) : (R_1, R_2, 0) \in \mathcal{R}'_{\mathrm{GW}}\}$$
$$\overset{(b)}{=} \inf\{R_1 + R_2 + I(X; Y) : (R_1, R_2, 0) \in \mathcal{R}_{\mathrm{ACI}}\},$$

where (a) follows from the definition $\mathcal{R}'_{\mathrm{GW}} = f(\mathcal{R}_{\mathrm{GW}})$; (b) follows from Theorem 3.1: the ≥ direction follows directly from the theorem. But > cannot hold, since by the theorem, if $(R_1, R_2, 0) \in \mathcal{R}_{\mathrm{ACI}}$ then there exists $(R'_1, R'_2, 0) \in \mathcal{R}'_{\mathrm{GW}}$ such that $R'_1 \leq R_1$ and $R'_2 \leq R_2$.



Proof of Corollary 3.4

$$G(Y \to X) = \inf\{R_C : (H(X|Y),\ H(Y) - R_C,\ R_C) \in \mathcal{R}_{\mathrm{GW}}\}$$
$$\overset{(a)}{=} \inf\{R : (R - I(X; Y), 0, 0) \in \mathcal{R}'_{\mathrm{GW}}\}$$
$$\overset{(b)}{=} \inf\{R : (R - I(X; Y), 0, 0) \in \mathcal{R}_{\mathrm{ACI}}\}$$
$$\overset{(c)}{=} I(X; Y) + R_{1\text{-}0},$$

where (a) follows from $\mathcal{R}'_{\mathrm{GW}} = f(\mathcal{R}_{\mathrm{GW}})$, (b) is a consequence of Theorem 3.1, and (c) follows from the definition of $R_{1\text{-}0}$.

Similarly we get (15). The equality (16) is proved in [11] which along with (14)-(15) implies (17).



Proof of Theorem 4.1: The theorem is in fact Corollary 3.2 of [13] which follows immediately from Theorem 3.1 of [13] and the following lemma:

Lemma A.1: Let the pair of random variables $(X_1, Y_1)$ be independent of the pair $(X_2, Y_2)$. If $X = (X_1, X_2)$ and $Y = (Y_1, Y_2)$, then

$$\mathcal{R}_{\mathrm{ACI}}(X, Y) = \mathcal{R}_{\mathrm{ACI}}(X_1, Y_1) + \mathcal{R}_{\mathrm{ACI}}(X_2, Y_2).$$

For completeness, we give a proof of Theorem 3.1 of [13] below since the proof was not provided there. This also contains a proof of Lemma A.1 (see (d) below). Please refer to [13] for notation and a statement of the theorem being proved below.



We show that under each step of a secure protocol, $\mathcal{R}_{\mathrm{ACI}}$ can only grow.

(a) Local computation cannot shrink it: For all random variables with X − Y − Z, we have $\mathcal{R}_{\mathrm{ACI}}(X, YZ) \supseteq \mathcal{R}_{\mathrm{ACI}}(X, Y)$ and $\mathcal{R}_{\mathrm{ACI}}(XY, Z) \supseteq \mathcal{R}_{\mathrm{ACI}}(X, Y)$.

The first set inclusion follows from the fact that for the joint p.m.f. $p_{X,Y,Z,Q} = p_{X,Y}\, p_{Z|Y}\, p_{Q|X,Y}$,

$$I(X; Y, Z | Q) = I(X; Y | Q)$$
$$I(Q; Y, Z | X) = I(Q; Y | X)$$
$$I(X; Q | Y, Z) = I(X; Q | Y).$$

(b) Communication cannot shrink it: For all random variables (X, Y) and functions f over the support of X (resp. Y), we have $\mathcal{R}_{\mathrm{ACI}}(X, (Y, f(X))) \supseteq \mathcal{R}_{\mathrm{ACI}}(X, Y)$ (resp. $\mathcal{R}_{\mathrm{ACI}}((X, f(Y)), Y) \supseteq \mathcal{R}_{\mathrm{ACI}}(X, Y)$).

The first set inclusion follows from the following facts for the joint p.m.f. $p_{X,Y,Z,Q} = p_{X,Y}\, p_{Z|Y}\, p_{Q|X,Y}$:

$$I(X; Y, f(X) | Q, f(X)) = I(X; Y | Q, f(X)) \leq I(X; Y | Q)$$
$$I(X; Q, f(X) | Y, f(X)) = I(X; Q | Y, f(X)) \leq I(X; Q | Y)$$
$$I(Y; Q, f(X) | X) = I(Y; Q | X)$$

(c) Securely derived outputs do not have a smaller region: For all random variables X, U, V, Y such that X − U − V and U − V − Y, we have $\mathcal{R}_{\mathrm{ACI}}(U, V) \supseteq \mathcal{R}_{\mathrm{ACI}}((X, U), (Y, V))$.

This follows from the following facts for (dependent) random variables X, Y, U, V, Q which satisfy the Markov chains X − U − V and U − V − Y:

$$I(X, U; Y, V | Q) \geq I(U; V | Q),$$
$$I(X, U; Q | Y, V) = I(X, U; Q, Y | V) - I(X, U; Y | V)$$
$$\overset{(a)}{=} \big(I(U; Q, Y | V) + I(X; Q, Y | U, V)\big) - I(X; Y | U, V)$$
$$\geq I(U; Q | V),$$

and similarly

$$I(Y, V; Q | X, U) \geq I(V; Q | U),$$

where we used U − V − Y to obtain equality (a).

(d) Regions of independent pairs add up: If (X, Y) is independent of (U, V), we have $\mathcal{R}_{\mathrm{ACI}}((X, U), (Y, V)) = \mathcal{R}_{\mathrm{ACI}}(X, Y) + \mathcal{R}_{\mathrm{ACI}}(U, V)$. This follows easily from the following facts:

For the joint p.m.f. $p_{X,Y}\, p_{U,V}\, p_{Q_1|X,Y}\, p_{Q_2|U,V}$, we have

$$I(X, U; Y, V | Q_1, Q_2) = I(X; Y | Q_1) + I(U; V | Q_2)$$
$$I(X, U; Q_1, Q_2 | Y, V) = I(X; Q_1 | Y) + I(U; Q_2 | V)$$
$$I(Y, V; Q_1, Q_2 | X, U) = I(Y; Q_1 | X) + I(V; Q_2 | U)$$

And, for the joint p.m.f. $p_{X,Y}\, p_{U,V}\, p_{Q|X,Y,U,V}$, we have

$$I(X, U; Y, V | Q) \geq I(X; Y | Q) + I(U; V | Q)$$
$$I(X, U; Q | Y, V) \geq I(X; Q | Y) + I(U; Q | V)$$
$$I(Y, V; Q | X, U) \geq I(Y; Q | X) + I(V; Q | U)$$



Proof of Lemma 4.2

By Lemma A.1 we need only characterize the $\inf\{R_1 + R_2 : (R_1, R_2, 0) \in \mathcal{R}_{\mathrm{ACI}}\}$ of one of the pair of independent bit-OT's. Let us denote one bit-OT by A, B: where $A = (S_1, S_2) \in \{0, 1\}^2$ is uniformly distributed over its alphabet and $B = (C, S_C)$, where $C \in \{1, 2\}$ is independent of A and uniformly distributed over its alphabet. By Proposition 2.2



$$\inf\{R_1 + R_2 : (R_1, R_2, 0) \in \mathcal{R}_{\mathrm{ACI}}(A, B)\}$$
$$= \inf_{p_{Q|A,B} \in \mathcal{P} :\, I(A;B|Q) = 0} I(B; Q | A) + I(A; Q | B)$$
$$= H(A|B) + H(B|A) - \sup_{p_{Q|A,B} \in \mathcal{P} :\, I(A;B|Q) = 0} H(A | Q, B) + H(B | Q, A).$$

We show below that the sup term is 1. Since H(A|B) + H(B|A) = 2, this will allow us to conclude that the smallest sum-rate at $R_{\mathrm{RD}} = 0$ of A, B is 1. Invoking the lemma above, the corresponding smallest sum-rate for U, V is then 2 as required.

To show that the sup term is 1, notice that the only valid choices of $p_{Q|A,B}$ are such that I(A; B|Q) = 0. This means that the resulting $p_{A,B|Q}(\cdot, \cdot | q)$ must belong to one of eight possible classes shown in Figure 3b (for any q with non-zero probability $p_Q(q)$; we may assume that all q's have non-zero probability without loss of generality). Recall that there is a cardinality bound on Q; let us denote the alphabet of Q by $\{q_1, q_2, \ldots, q_N\}$, where N is the cardinality bound.

We will first show that there is no loss of generality in assuming that no more than one of the $q_k$'s is such that its $p_{A,B|Q}(\cdot, \cdot | q_k)$ belongs to the same class (and hence we may take N = 8). Suppose $q_1$ and $q_2$ belong to the same class, say class I, with parameters $p_1$ and $p_2$ respectively. Then, if we denote the binary entropy function by $H_2(\cdot)$, we have

$$H(A | Q, B) + H(B | Q, A)$$
$$= \sum_{k=1}^{N} p_Q(q_k) \big(H(A | B, Q = q_k) + H(B | A, Q = q_k)\big)$$
$$= p_Q(q_1) H_2(p_1) + p_Q(q_2) H_2(p_2) + \sum_{k=3}^{N} p_Q(q_k) \big(H(A | B, Q = q_k) + H(B | A, Q = q_k)\big)$$
$$\leq \big(p_Q(q_1) + p_Q(q_2)\big) H_2\left(\frac{p_Q(q_1)\, p_1 + p_Q(q_2)\, p_2}{p_Q(q_1) + p_Q(q_2)}\right) + \sum_{k=3}^{N} p_Q(q_k) \big(H(A | B, Q = q_k) + H(B | A, Q = q_k)\big),$$

where the inequality (Jensen's) follows from the concavity of the binary entropy function. Thus, we can define a Q' of alphabet size N − 1 where letters $q_1, q_2$ are replaced by $q_0$ such that $p_{Q'}(q_0) = p_Q(q_1) + p_Q(q_2)$, and $p_{A,B|Q'=q_0}$ is in class I with parameter $\frac{p_Q(q_1)\, p_1 + p_Q(q_2)\, p_2}{p_Q(q_1) + p_Q(q_2)}$, while maintaining, for i = 3, ..., N, $p_{Q'}(q_i) = p_Q(q_i)$ and $p_{A,B|Q'}(a, b | q_i) = p_{A,B|Q}(a, b | q_i)$. (It is easy to verify (a) that this gives a valid




[Figure 3: panel (a) shows the joint p.m.f. of A, B; panel (b) shows the eight classes, labelled $p_{A,B|Q}(\cdot, \cdot | q_{\mathrm{I}})$ through $p_{A,B|Q}(\cdot, \cdot | q_{\mathrm{VIII}})$.]

Fig. 3: (a) Joint p.m.f. of A, B. Each solid line represents a probability mass of 1/8. (b) Eight possible classes that $p_{A,B|Q}(\cdot, \cdot | q)$ may belong to for a $p_{Q|A,B}$ which satisfies I(A; B|Q) = 0.



joint p.m.f. for $p_{A,B,Q'}$, (b) that the induced $p_{A,B}$ is the same as the original, and (c) that the induced $p_{Q'|A,B}$ satisfies the condition I(A; B|Q') = 0.) Then, the above inequality states that

$$H(A | Q, B) + H(B | Q, A) \leq H(A | Q', B) + H(B | Q', A)$$

proving our claim.

Thus, without loss of generality, we may assume that N = 8 and $p_{A,B|Q}(\cdot, \cdot | q_i)$ belongs to class i. Notice that

$$p_{Q|A,B}(q_1 | 00, 10) + p_{Q|A,B}(q_5 | 00, 10) = 1,$$
$$p_{Q|A,B}(q_2 | 01, 10) + p_{Q|A,B}(q_5 | 01, 10) = 1,$$
$$p_{Q|A,B}(q_2 | 01, 21) + p_{Q|A,B}(q_6 | 01, 21) = 1,$$
$$p_{Q|A,B}(q_3 | 11, 21) + p_{Q|A,B}(q_6 | 11, 21) = 1,$$
$$p_{Q|A,B}(q_3 | 11, 11) + p_{Q|A,B}(q_7 | 11, 11) = 1,$$
$$p_{Q|A,B}(q_4 | 10, 11) + p_{Q|A,B}(q_7 | 10, 11) = 1,$$
$$p_{Q|A,B}(q_4 | 10, 20) + p_{Q|A,B}(q_8 | 10, 20) = 1,$$
$$p_{Q|A,B}(q_1 | 00, 20) + p_{Q|A,B}(q_8 | 00, 20) = 1.$$

Let us define

$$p_1 \triangleq p_{Q|A,B}(q_1 | 00, 10), \qquad p_5 \triangleq p_{Q|A,B}(q_5 | 01, 10),$$
$$p_2 \triangleq p_{Q|A,B}(q_2 | 01, 21), \qquad p_6 \triangleq p_{Q|A,B}(q_6 | 11, 21),$$
$$p_3 \triangleq p_{Q|A,B}(q_3 | 11, 11), \qquad p_7 \triangleq p_{Q|A,B}(q_7 | 10, 11),$$
$$p_4 \triangleq p_{Q|A,B}(q_4 | 10, 20), \qquad p_8 \triangleq p_{Q|A,B}(q_8 | 00, 20).$$

Let us evaluate H(B|Q, A) in terms of the above parameters. Notice that $H(B | Q = q_i, A) = 0$ for i = 5, ..., 8. Hence

$$H(B | Q, A) = \sum_{(i, a) \in \{(1, 00), (2, 01), (3, 11), (4, 10)\}} p_{Q,A}(q_i, a)\, H(B | Q = q_i, A = a)$$
$$= \frac{p_1 + (1 - p_8)}{8} H_2\!\left(\frac{p_1}{p_1 + (1 - p_8)}\right) + \frac{p_2 + (1 - p_5)}{8} H_2\!\left(\frac{p_2}{p_2 + (1 - p_5)}\right)$$
$$\quad + \frac{p_3 + (1 - p_6)}{8} H_2\!\left(\frac{p_3}{p_3 + (1 - p_6)}\right) + \frac{p_4 + (1 - p_7)}{8} H_2\!\left(\frac{p_4}{p_4 + (1 - p_7)}\right)$$
$$\leq \frac{4 + \sum_{i=1}^{4} p_i - \sum_{j=5}^{8} p_j}{8},$$

where the inequality follows from the fact that the binary entropy function is upper bounded by 1. Similarly, we can get

$$H(A | Q, B) \leq \frac{4 + \sum_{j=5}^{8} p_j - \sum_{i=1}^{4} p_i}{8}.$$

Combining, we obtain the desired

$$H(B | Q, A) + H(A | Q, B) \leq 1.$$



